java - 使用代理时 Weblogic 会破坏 CXF 证书身份验证

Question

我在代码中配置了一个 CXF 客户端。它对 WS 服务器和代理设置使用证书身份验证（无需身份验证）。在单元测试和 Tomcat 上一切正常，但在 Weblogic 上部署时会中断。它通过代理，但不使用证书进行身份验证。奇怪的是，如果我不通过代理，证书身份验证工作。可能是什么问题？

我用于初始化客户端的代码：

 JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setEndpointName(SERVICE_NAME);
factory.setAddress("Address of the WS server");
factory.setServiceClass(MyService.class);
this.port = (MyService) factory.create();

Client client = ClientProxy.getClient(port);
HTTPConduit conduit = (HTTPConduit) client.getConduit();

//proxy settings
HTTPClientPolicy policy = new HTTPClientPolicy();
policy.setProxyServer("IP OF THE PROXY");
policy.setProxyServerPort("PORT OF THE PROXY");
conduit.setClient(policy);        

//TLS
KeyStore keyStore = KeyStore.getInstance(ARCHIVE_FILE_FORMAT);
keyFile = getKeyFileUrl().openStream();
keyStore.load(keyFile, getPassword().toCharArray());
KeyManager[] myKeyManagers = getKeyManagers(keyStore, getPassword());
TLSClientParameters tlsCP = new TLSClientParameters();
tlsCP.setKeyManagers(myKeyManagers);
tlsCP.setDisableCNCheck(true);
FiltersType cipherSuiteFilter = new FiltersType();
cipherSuiteFilter.getInclude().add(SSL_RSA_WITH_3_DES_EDE_CBC_SHA);
cipherSuiteFilter.getExclude().add(DH_ANON);
tlsCP.setCipherSuitesFilter(cipherSuiteFilter);
conduit.setTlsClientParameters(tlsCP);    

当我启用 SSL 调试时，我在日志文件中收到以下消息：

####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <weblogic user specified trustmanager validation status 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <SSLTrustValidator returns: 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: No trust failure, validateErr=0.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Performing hostname validation checks: www.cfmu.eurocontrol.int> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Proxying through 85.125.226.9> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133525> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Successfully completed post-handshake processing.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133526> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 230 bytesProduced = 261.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133528> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 1729 bytesProduced = 1786.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133627> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 733 bytesProduced = 705.> 

status=OK 是什么意思？我有 ssl 连接吗？那么为什么服务器发送响应就好像不使用证书一样。

我尝试过不同版本的 CXF（包括最新的 2.7.7）和不同版本的 weblogic。

Answer 1

当我阅读 Oracle 文档时，Weblogic Server 似乎拒绝证书链中没有定义为 CA 的基本约束扩展的任何证书。您可以使用命令行参数：

-Dweblogic.security.SSL.enforceConstraints=option

其中 option 可以是 'strong' 或 'true'、strict 或 off。查看文档：

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/ssl.html#wp1194346

你设置了这个标志吗？

What worked:

启动您的 weblogic 服务器。转到“环境”下的“服务器”。单击服务器名称。在“常规”选项卡下，将 ClientCertProxyEnabled 标志设置为 true。

Answer 2

我前段时间遇到过同样的问题（CXF、相互 SSL 身份验证、代理服务器、weblogic），我修补了 CXF 客户端以应用（临时）解决方法（http://pastebin.com/VfKA7MRC），因为这是使用代理时 weblogic.net.https.HttpsClient.openServer() 方法自 10.3 以来 weblogic 代码中的一个错误。也许问题已经解决了，我已经有 1.5 年没有调查过了